Trying to understand what network security solutions are available, the differences between them, how and when they should be used, can be overwhelming for most organizations. While there are many options to choose from, a typical suite of tools would include an Intrusion Prevention System (IPS), Data Loss Prevention (DLP) software/hardware, and a sophisticated Data-Centric Audit & Protection (DCAP) solution, which deals with User Behaviour Analytics (UBA).
Additionally, many organizations rely on Security Information and Event Management (SIEM) solutions to aggregate and correlate data from the logs these solutions generate, in order to provide an overview of all events that take place on their network.
So, what are Intrusion Prevention Systems, and how useful are they for protecting your network from cyber-attacks?
Intrusion Prevention VS Intrusion Detection
There is often confusion about the difference between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS). The key difference, as the name suggests, is that IPS solutions are not only able to identify suspicious network traffic but can also automate a response to them. This may include either blocking the network traffic or resetting network connections. Additionally, when an IPS identifies something suspicious, it will send an alert to the administrators, thus prompting them to take action.
For the reasons mentioned above, IPS solutions are sometimes referred to as Intrusion Detection & Prevention Systems (IDPS). There is also some confusion about the difference between an IPS solution and a Firewall. IPS solutions are typically more sophisticated than your average Firewall, although some of the “next generation” Firewalls share many of the same features.
How Intrusion Prevention Works
An IPS will use two different approaches to identify security threats. The first is a signature-based approach, which will either reference a list of previously identified threats, and/or use a service that provides the latest threat intelligence. However, signature-based threat detection is not able to identify new threats.
The second approach is to use statistical analysis to establish an idea about the type of network traffic patterns that are considered normal, and then firing an alert or initiating a response when an anomalous pattern emerges.
As you would expect, most IPS solutions take advantage of both techniques. Another technique that is used by IPS solutions relies on the use of a “honeypot”. A honeypot is a type of trap, which is used to trick an attacker into believing that it contains valuable data. Should an attacker access the honeypot, and alert will be triggered, informing the administrators. Most IPS solutions are network-based (NIPS) and will sit behind an organization’s Firewall. However, there are also host-based IPS solutions (HIPS) and wireless IPS solutions (WIPS). A HIPS solution is installed on the endpoints, and a WIPS solution is used to monitor and detect wireless network anomalies, unauthorized access and radio frequency attacks.
Why IPS Isn’t Enough
There’s no doubt that IPS solutions can play an important role in the keeping your network safe; however, such systems only focus on perimeter and endpoint security -specifically relating to inbound network traffic. Given that most security threats are caused by insiders, an IPS solution will need to be used in conjunction with other solutions, such as Data Loss Prevention (DLP) and Data-Centric Audit & Protection (DCAP), in order to establish a strong security posture.
DLP software can be used to block, quarantine and/or raise an alert as unencrypted data leaves the network, while DCAP solutions are required to monitor user behaviour. For example, DCAP solutions can detect, alert, report and respond to changes made to access privileges and sensitive data. They can detect unauthorised mailbox access, anomalous login failure, suspected user behaviour and much more.
Finally, while SIEM solutions are capable of aggregating and correlating data from multiple sources, they generate a lot of noise and require specialized personnel to setup and maintain – something which must be considered before choosing to implement one.